The RDP protocol gives remote users interactive access to systems. It is often exposed directly to the Internet so that mobile users can connect to those systems.
A vulnerability that allows unauthorized users to execute malicious code was recently discovered; Microsoft has patched it in MS12-020 and classified it as critical.
The vulnerability applies to most versions of Microsoft Windows.
- The vulnerability allows remote code execution by an unauthenticated attacker.
- RDP is often permitted in from the Internet on its default port (TCP 3389) to manage various systems.
- Once an exploit becomes available, attackers can easily exploit the vulnerability on exposed and unpatched systems; automated attacks are possible.
- It's not all about attacks from the Internet: internally exposed RDP servers can also be targeted by malicious internal users, or by malware if an internal machine becomes infected.
Please refer to http://aluigi.org/adv/termdd_1-adv.txt for the exploit details.
If you want to test the Proof of Concept, follow this how-to:
- Start a virtual machine running a Windows operating system.
- If it is not already enabled, enable Remote Desktop on the virtual machine.
- Make sure you can reach the virtual machine from your host system (e.g. ping 10.10.10.1).
- Download the PoC file (termdd_1.dat) from here.
- Use netcat to connect to the virtual machine and send the exploit packet:
nc 10.10.10.1 3389 < termdd_1.dat
- Try several times to get a Blue Screen of Death.
There are also several PoCs written in Ruby available on pastebin.com: just copy and paste the code into a text file called rdpexploit.rb and set the Ruby path (the first line of the code must match your Ruby binary path). You need Ruby installed on the system to use it! 🙂
Read the Microsoft Security Bulletin for MS12-020.
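The flip side of the how-to above is knowing whether a given Windows host is actually exposed. The following PowerShell audit is an added example (not part of the original post): it reports whether Remote Desktop is enabled, whether its port is listening, whether Network Level Authentication is required (the bulletin's workaround, since it rejects unauthenticated clients before the vulnerable code is reached), and whether the MS12-020 update is installed. The KB numbers are quoted from memory as an assumption and must be confirmed against the bulletin for your Windows version.

```powershell
# Added audit script: run in an elevated PowerShell prompt on the host being checked.
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"
$ts  = Get-ItemProperty -Path $tsPath
$rdp = Get-ItemProperty -Path $rdpPath

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required.
# (Absent on Windows XP, which has no NLA; treated as not required.)
$nlaRequired = ($rdp.UserAuthentication -eq 1)

# The listener port; 3389 unless the administrator changed it.
$port = $rdp.PortNumber

# Is the RDP port really listening? netstat is available on every Windows version.
$pattern   = "TCP\s+\S+:{0}\s+\S+\s+LISTENING" -f $port
$listening = [bool](netstat -ano | Select-String -Pattern $pattern)

# MS12-020 update packages, assumed from memory: verify against the bulletin.
$kbs       = @('KB2621440', 'KB2667402')
$installed = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty HotFixID)
$patched   = ($installed.Count -gt 0)

# A host is at risk when RDP is on and listening, NLA is off and no update is present.
[pscustomobject]@{
    RdpEnabled      = $rdpEnabled
    RdpPort         = $port
    Listening       = $listening
    NlaRequired     = $nlaRequired
    Ms12020KbsFound = $installed
    AtRisk          = ($rdpEnabled -and $listening -and -not $nlaRequired -and -not $patched)
}
```

If AtRisk is True, the host should be patched or, failing that, have NLA enabled and the port filtered from untrusted networks.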